| author | Ken Rockot <rockot@google.com> | 2021-03-23 21:13:00 +0000 |
|---|---|---|
| committer | Michael Brüning <michael.bruning@qt.io> | 2021-04-19 22:35:00 +0000 |
| commit | e2170d719950d7c48d767ea09be1617a63707e24 (patch) | |
| tree | 3b05d35e6e49db23d32368af457ed1096f268449 | |
| parent | ccaea82df05952b19a7de1f9fdaf6ffe9ea98232 (diff) | |
[Backport] CVE-2021-21207: Use after free in IndexedDB
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2778871:
Never fail in ReceiverSet::Add
Because of how UniqueReceiverSet is implemented and used, it is
dangerous to allow Add() to fail: callers reasonably assume that added
objects are still alive immediately after the Add() call.
This changes ReceiverId to a uint64 and simply CHECK-fails on
insert collision.
This fundamentally increases binary size of 32-bit builds, because
a widely used 32-bit data type is expanding to 64 bits for the sake
of security and stability. It is effectively unavoidable for now, and
also just barely above the tolerable threshold.
A follow-up (but less backwards-mergeable) change should be able to
reduce binary size beyond this increase by consolidating shared
code among ReceiverSet template instantiations.
Fixed: 1185732
Change-Id: I9acf6aaaa36e10fdce5aa49a890173caddc13c52
Binary-Size: Unavoidable (see above)
Commit-Queue: Ken Rockot <rockot@google.com>
Auto-Submit: Ken Rockot <rockot@google.com>
Reviewed-by: Robert Sesek <rsesek@chromium.org>
Cr-Commit-Position: refs/heads/master@{#865815}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r-- | chromium/mojo/public/cpp/bindings/receiver_set.h | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/chromium/mojo/public/cpp/bindings/receiver_set.h b/chromium/mojo/public/cpp/bindings/receiver_set.h index 6cd2b982077..84ac4527dae 100644 --- a/chromium/mojo/public/cpp/bindings/receiver_set.h +++ b/chromium/mojo/public/cpp/bindings/receiver_set.h @@ -24,7 +24,7 @@ namespace mojo { -using ReceiverId = size_t; +using ReceiverId = uint64_t; template <typename ReceiverType> struct ReceiverSetTraits; @@ -361,11 +361,11 @@ class ReceiverSetBase { Context context, scoped_refptr<base::SequencedTaskRunner> task_runner) { ReceiverId id = next_receiver_id_++; - DCHECK_GE(next_receiver_id_, 0u); auto entry = std::make_unique<Entry>(std::move(impl), std::move(receiver), this, id, std::move(context), std::move(task_runner)); - receivers_.insert(std::make_pair(id, std::move(entry))); + auto result = receivers_.insert(std::make_pair(id, std::move(entry))); + CHECK(result.second) << "ReceiverId overflow with collision"; return id; } |
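Review bot: `uint64_t` in the first hunk (`using ReceiverId = uint64_t;`) needs `<cstdint>`, and no include is visible in the context shown; add `#include <cstdint>` to the header rather than relying on a transitive include. In the same spirit, the declaration of `next_receiver_id_` lies outside both hunks; confirm it is declared as `ReceiverId` and not `size_t`, because on the 32-bit builds the commit message discusses a `size_t` counter would still wrap at 2^32 and the widening would buy nothing.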
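Review bot: in the second hunk, `CHECK(result.second)` only fires when the colliding id still has a live entry in `receivers_`; after a counter wraparound, an id whose entry was already removed would be reused silently, and a caller still holding the old id would address the new entry. That is acceptable only because 64-bit wraparound is unreachable in practice, which is worth stating in a comment next to the CHECK (or in its message) so the invariant survives future edits. Dropping `DCHECK_GE(next_receiver_id_, 0u)` is correct, since the comparison is tautological for an unsigned type. Minor: `next_receiver_id_++` runs before the insert, so the counter advances even on the failing path; harmless while CHECK terminates the process, but keep it in mind if the CHECK is ever relaxed to a DCHECK.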